
AWS SOA-C02 Drill: Systems Manager Managed Instances - The IAM Role Imperative

Author: Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).

For SOA-C02 candidates, the confusion often lies in why EC2 instances do not show up in Systems Manager despite using the correct AMI. In production, this is about knowing exactly which IAM role permissions and agent configurations are mandatory for Systems Manager to recognize and manage EC2 instances. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

OptiNimbus Inc. recently launched a cloud environment for their critical production workloads. Their Site Reliability Engineering (SRE) team deployed four new Amazon EC2 instances using the standard Amazon Linux 2 AMI. The team intends to use AWS Systems Manager to automate patching and operational tasks on these instances remotely. However, when checking the Systems Manager console, the instances do not appear as managed instances.

The Requirement

Identify the necessary action to ensure the instances are visible and manageable via AWS Systems Manager.

The Options

  • A) Log in via SSH to each instance, then install the latest Systems Manager Agent manually. Configure the agent to start automatically on boot.
  • B) Generate a TLS certificate in AWS Certificate Manager, import it into each instance, and configure the Systems Manager Agent to use this certificate for secured communications.
  • C) SSH into each instance, create a user account called ssmadmin, and add this user to the /etc/sudoers.d directory.
  • D) Attach an IAM instance profile to each EC2 instance that includes the AmazonSSMManagedInstanceCore managed policy.


Correct Answer

D

Quick Insight: The SysOps Imperative

AWS Systems Manager depends on an IAM instance profile attached to each EC2 instance that authorizes the agent's Systems Manager API calls. Without the AmazonSSMManagedInstanceCore permissions, the instances won't register as managed instances, even with the agent installed and running.


The Expert’s Analysis

Correct Answer

Option D

The Winning Logic

AWS Systems Manager requires EC2 instances to authenticate and authorize their interaction with Systems Manager endpoints via an IAM instance profile. The minimal set of permissions needed is bundled in the AmazonSSMManagedInstanceCore managed policy. This policy grants the Systems Manager Agent (SSM Agent) permissions to:

  • Connect securely to the Systems Manager service.
  • Send instance metadata and state information.
  • Download software, run commands, and execute SSM documents.

Amazon Linux 2 AMIs have the SSM Agent pre-installed and enabled by default, so no manual installation or user/account creation is required for basic management. However, if the instance does not have an appropriate IAM instance profile attached with this policy, it will never appear as a managed instance in the Systems Manager console.

The Trap (Distractor Analysis)

  • Why not A? Manual SSM Agent installation is not required for Amazon Linux 2 AMIs, which come with the agent pre-installed; installing again is redundant and error-prone. Also, lacking the proper IAM role still makes the instance invisible to Systems Manager.
  • Why not B? ACM-issued TLS certificates play no part in SSM communications; SSM Agent already encrypts its traffic to the service endpoints with TLS and authenticates using the temporary credentials supplied by the IAM role, so this is irrelevant extra work.
  • Why not C? Creating local OS users on the instance has no effect on the SSM Agent's ability to communicate with Systems Manager: permissions are handled by IAM policies, not OS user accounts.

The Technical Blueprint

# Attaching the IAM instance profile to existing EC2 instances via CLI:
aws ec2 associate-iam-instance-profile \
    --instance-id i-0123456789abcdef0 \
    --iam-instance-profile Name=SSMManagedInstanceProfile

Example inline policy with comparable permissions (note that the service-wide wildcards make it broader than the managed policy; attaching AmazonSSMManagedInstanceCore itself is the least-privilege choice):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*",
                "ec2messages:*",
                "cloudwatch:PutMetricData",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        }
    ]
}
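The inline policy above grants far more than SSM Agent needs (service-wide wildcards) while also omitting the ssmmessages actions that Session Manager relies on. The following added example, which is not part of the original page, audits a policy document for both problems. The REQUIRED_ACTIONS set is a constructed subset chosen for illustration (the agent's registration and message-delivery calls), not the full contents of AmazonSSMManagedInstanceCore; PAGE_STYLE_POLICY reproduces the page's JSON and TIGHT_POLICY is a constructed least-privilege counterpart.

```python
"""Audit an EC2 instance-role policy for SSM Agent permissions.

Added example (not from the original page). Reports (a) required actions that no
Allow statement covers and (b) service-wide wildcard grants such as "ssm:*".
"""
import fnmatch

# Constructed for this example: the calls SSM Agent makes to register with the
# service and to pick up Run Command / Session Manager work. This is a subset,
# NOT the complete AmazonSSMManagedInstanceCore managed policy.
REQUIRED_ACTIONS = {
    "ssm:UpdateInstanceInformation",     # registration / heartbeat call
    "ssm:ListAssociations",
    "ssm:ListInstanceAssociations",
    "ec2messages:GetMessages",           # Run Command delivery
    "ec2messages:AcknowledgeMessage",
    "ec2messages:SendReply",
    "ssmmessages:CreateControlChannel",  # Session Manager channels
    "ssmmessages:OpenControlChannel",
}

# The page's example policy, reproduced here as constructed input.
PAGE_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:*", "ec2messages:*",
                   "cloudwatch:PutMetricData", "ec2:DescribeInstanceStatus"],
        "Resource": "*",
    }],
}

# Constructed least-privilege counterpart: exactly the required actions.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS),
                   "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _allowed_actions(policy: dict) -> set:
    """Collect every action named in an Allow statement (Deny is ignored)."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            allowed.update(_as_list(stmt["Action"]))
    return allowed


def missing_actions(policy: dict) -> set:
    """Required actions not matched by any Allow action pattern.

    IAM matches action names case-insensitively and supports '*' / '?'
    wildcards, which fnmatch reproduces once both sides are lower-cased.
    """
    patterns = {a.lower() for a in _allowed_actions(policy)}
    return {
        need for need in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(need.lower(), pat) for pat in patterns)
    }


def broad_grants(policy: dict) -> set:
    """Allow actions that are service-wide wildcards (e.g. 'ssm:*') or '*'."""
    return {a for a in _allowed_actions(policy) if a == "*" or a.endswith(":*")}


def audit(policy: dict) -> dict:
    """Combine both checks into one report."""
    return {"missing": missing_actions(policy), "broad": broad_grants(policy)}


if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_STYLE_POLICY), ("tight policy", TIGHT_POLICY)):
        print(name, audit(pol))
```

Running the audit on the page's policy shows both findings at once: the two ssmmessages actions are missing and two service-wide wildcards are present, whereas the constructed tight policy has neither. In practice the simplest fix is the one the answer recommends: attach the managed policy rather than maintaining a hand-written one.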

The Comparative Analysis

| Option | Operational Overhead | Automation Level | Impact |
|--------|----------------------|------------------|--------|
| A | High (manual installs) | Low | Won't work without IAM permissions; waste of time |
| B | Very High (irrelevant) | None | Unnecessary complexity; no effect on SSM visibility |
| C | High (manual user mgmt) | None | No impact on Systems Manager integration |
| D | Low (attach role once) | High | Correct; enables secure, automated Systems Manager management |

Real-World Application (Practitioner Insight)

Exam Rule

For the exam, when EC2 instances launched from a supported AMI do not appear in Systems Manager, always pick the option that attaches an IAM role (instance profile) with AmazonSSMManagedInstanceCore.

Real World

In production, besides attaching the IAM role, you will usually also verify the SSM Agent status on the instance and network reachability to the Systems Manager endpoints (outbound internet access or VPC endpoints), but the IAM role is the non-negotiable prerequisite.
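The troubleshooting order described here (IAM role first, then agent and network) can be turned into a repeatable triage. The following added example, which is not part of the original page, classifies each instance from the shape of three API responses: ec2 describe-instances, the managed policies attached to each instance profile's role, and ssm describe-instance-information. All sample responses, instance IDs and the account ID are constructed placeholders; in production you would feed it the real responses from boto3 or the CLI. It only recognizes the AmazonSSMManagedInstanceCore managed policy ARN (the page's own recommendation); a custom policy with equivalent permissions would need a policy-document check instead.

```python
"""Triage why EC2 instances are missing from Systems Manager.

Added example (not from the original page). Works on the shape of three API
responses; the sample data below is constructed.
"""
from typing import Dict, List

SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Constructed ec2 describe-instances output: four running instances, one per
# outcome. Account id 123456789012 and the instance ids are placeholders.
EC2_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa000000000002", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/WebAppProfile"}},
    {"InstanceId": "i-0aaa000000000003", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/SSMManagedInstanceProfile"}},
    {"InstanceId": "i-0aaa000000000004", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/SSMManagedInstanceProfile"}},
]}]}

# Constructed: instance-profile name -> managed policy ARNs attached to its role
# (what iam get-instance-profile plus iam list-attached-role-policies return).
PROFILE_POLICIES = {
    "WebAppProfile": ["arn:aws:iam::123456789012:policy/WebAppS3Access"],
    "SSMManagedInstanceProfile": [SSM_CORE_POLICY_ARN],
}

# Constructed ssm describe-instance-information output: only one registered.
SSM_INSTANCE_INFORMATION = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa000000000004", "PingStatus": "Online", "AgentVersion": "3.x"},
]}


def _profile_name(arn: str) -> str:
    """arn:aws:iam::<acct>:instance-profile/<path>/<Name> -> <Name>."""
    return arn.rsplit("/", 1)[-1]


def triage_instance(inst: dict, profile_policies: dict, ssm_by_id: dict) -> Dict[str, str]:
    """Classify one instance and name the next remediation step."""
    iid = inst["InstanceId"]
    if inst.get("State", {}).get("Name") != "running":
        return {"instance": iid, "status": "not-running",
                "action": "SSM Agent only registers on a running instance"}
    info = ssm_by_id.get(iid)
    if info is not None:                       # known to SSM: check its health
        if info.get("PingStatus") == "Online":
            return {"instance": iid, "status": "managed", "action": "none"}
        return {"instance": iid, "status": "connection-lost",
                "action": "registered earlier but not pinging; check the agent "
                          "service and outbound HTTPS to the SSM endpoints"}
    profile = inst.get("IamInstanceProfile")   # not in SSM: IAM comes first
    if not profile:
        return {"instance": iid, "status": "no-instance-profile",
                "action": "aws ec2 associate-iam-instance-profile with a role "
                          "carrying AmazonSSMManagedInstanceCore"}
    name = _profile_name(profile["Arn"])
    if SSM_CORE_POLICY_ARN not in profile_policies.get(name, []):
        return {"instance": iid, "status": "profile-lacks-ssm-policy",
                "action": f"attach AmazonSSMManagedInstanceCore to the role behind {name}"}
    return {"instance": iid, "status": "not-registered",
            "action": "IAM is correct; verify the agent is running and the instance "
                      "can reach ssm/ec2messages/ssmmessages over HTTPS (NAT or VPC endpoints)"}


def triage_all(ec2_resp: dict, profile_policies: dict, ssm_resp: dict) -> List[Dict[str, str]]:
    """Run the triage over every instance in a describe-instances response."""
    ssm_by_id = {i["InstanceId"]: i for i in ssm_resp.get("InstanceInformationList", [])}
    return [triage_instance(inst, profile_policies, ssm_by_id)
            for r in ec2_resp.get("Reservations", []) for inst in r.get("Instances", [])]


if __name__ == "__main__":
    for row in triage_all(EC2_DESCRIBE_INSTANCES, PROFILE_POLICIES, SSM_INSTANCE_INFORMATION):
        print(f"{row['instance']}: {row['status']} -> {row['action']}")
```

The order of checks mirrors the article's point: an instance that SSM has never seen is first checked for an instance profile and for the managed policy, and only when IAM is correct does the triage move on to agent status and network reachability.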



Disclaimer

This is a study note based on simulated scenarios for the AWS SOA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.